Saturday, May 3, 2014

The SeND (Secure Neighbor Discovery) protocol can protect our network against unauthorized routers sending RA messages. To mitigate this risk you can enable IPv6 SeND: RA messages will then be accepted only from devices with a valid certificate and from a source IP with CGA (Cryptographically Generated Addresses) enabled. Let's test this feature in the following scenario:
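
To show what "CGA enabled" means for the receiver of an RA, here is an added example (not part of the original post and not Cisco's code) of the RFC 3972 address check: the interface identifier must match a SHA-1 hash over the sender's public key and CGA parameters. The function names and sample values are assumptions made for this sketch; address generation covers only Sec=0, and the RSA signature and certificate validation that SeND also performs are left out.

```python
import hashlib
import ipaddress

# Interface-identifier bits taken from Hash1: everything except the three
# Sec bits (0-2) and the u/g bits (6-7), as specified in RFC 3972.
HASH1_MASK = 0x1CFFFFFFFFFFFFFF


def _hash1(modifier, prefix, collisions, pubkey):
    """First 64 bits of SHA-1 over the CGA Parameters structure."""
    params = modifier + prefix + bytes([collisions]) + pubkey
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")


def cga_generate(prefix, pubkey, modifier):
    """Derive a Sec=0 CGA (collision count 0) for an 8-byte prefix."""
    iid = _hash1(modifier, prefix, 0, pubkey) & HASH1_MASK  # Sec, u, g = 0
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))


def cga_verify(addr, modifier, prefix, collisions, pubkey):
    """Receiver-side check that addr is bound to pubkey."""
    raw = ipaddress.IPv6Address(addr).packed
    if collisions not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    if (_hash1(modifier, prefix, collisions, pubkey) ^ iid) & HASH1_MASK:
        return False
    # Hash2: the leftmost 16*Sec bits must be zero (always true for Sec=0).
    sec = raw[8] >> 5
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return hash2[: 2 * sec] == bytes(2 * sec)


# Constructed sample values: stand-in bytes, not real DER-encoded keys.
PREFIX = ipaddress.IPv6Address("2001:db8:0:1::").packed[:8]
MODIFIER = bytes(range(16))
ROUTER_KEY = b"constructed-public-key-of-legitimate-router"
ROGUE_KEY = b"constructed-public-key-of-rogue-router"

if __name__ == "__main__":
    addr = cga_generate(PREFIX, ROUTER_KEY, MODIFIER)
    print(addr, cga_verify(addr, MODIFIER, PREFIX, 0, ROUTER_KEY))
    print("rogue key:", cga_verify(addr, MODIFIER, PREFIX, 0, ROGUE_KEY))
```

A router that copies the address but signs with its own key fails this check, because its key hashes to a different interface identifier.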

As we can see, we can now ping r1 with only 'cga' enabled, but without a valid certificate from the PKI server (r1). Let's enable routing on r2 and r3 and then check whether r1 accepts routing from them.

The routing table on r1 before enabling 'ipv6 unicast-routing' on r2 and r3: